Publish docker images to ghcr.io

.github/dependabot.yaml

@@ -0,0 +1,7 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+      day: "monday"

.github/workflows/clean-containers.yaml

@@ -0,0 +1,33 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: ghcr actions
+
+on:
+  schedule:
+    - cron: "21 21 * * *"
+
+jobs:
+  clean-ghcr:
+    name: Delete old unused container images
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+    steps:
+      - name: downcase REPO name
+        run: |
+          echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV}
+      - name: Delete 'PR' containers older than a week
+        uses: snok/container-retention-policy@v2.2.1
+        with:
+          image-names: ${{ env.REGISTRY }}/${{ env.REPO }}
+          filter-tags: sha-*,sha256:*
+          skip-tags: latest
+          cut-off: A week ago UTC
+          account-type: org
+          org-name: ${{ github.repository_owner }}
+          keep-at-least: 1
+          token: ${{ secrets.GH_REPO_TOKEN }}
+          timestamp-to-use: updated_at

.github/workflows/publish.yaml

@@ -0,0 +1,50 @@
+name: Build and Publish
+
+on: [push]
+
+env:
+  REGISTRY: ghcr.io
+
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: downcase REPO name
+        run: |
+          echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.REPO }}
+          tags: |
+            type=raw,value=latest,enable={{is_default_branch}}
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=sha,enable=true,priority=100,prefix=sha-,suffix=,format=short
+
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: |
+            org.opencontainers.image.source=${{ github.event.repository.clone_url }}
+            org.opencontainers.image.created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')
+            org.opencontainers.image.revision=${{ github.sha }}

README.md

@@ -38,6 +38,8 @@ The app contacts `url_oidc` on startup and retrieves the `authorization_endpoint
 uvicorn main:app --reload
 ```
 ### For Deployment
+The docker image copies `config.json` from the current directory, so either edit the values before building the image, or mount a file with correct values into the container.
+
 Build image
 ```
 docker build -t cscfi/tiny-rp .

config.json

@@ -0,0 +1,11 @@
+{
+    "client_id": "",
+    "client_secret": "",
+    "url_oidc": "https://openid-provider.org/oidc/.well-known/openid-configuration",
+    "url_callback": "http://localhost:8080/callback",
+    "url_redirect": "http://localhost:8080/frontend",
+    "scope": "openid",
+    "resource": "something",
+    "cookie_domain": "",
+    "cors_domains": [""]
+}